The “Heartbleed” Bug has not been exterminated

Though the news of the Heartbleed vulnerability broke a month ago, that doesn't mean the bug has been squashed.

About 318,000 servers remain vulnerable to this OpenSSL bug, according to security researchers, though that figure is roughly half of what it was a month ago.

The Errata Security blog arrived at the 318,000 figure through a recent global Internet scan, which also found that more than 1.5 million servers still respond to the TLS "heartbeat" extension in which the flaw lives.

The true number may well be higher, since the count includes only servers whose vulnerability was verified. Either way, why are more than 318,000 still affected a month after aggressive Heartbleed mitigation began?

Fraudsters can use this bug to attack those 318,000 systems. The flaw is not in the encryption itself but in OpenSSL's handling of the TLS heartbeat extension: a malformed heartbeat request makes the server send back up to 64 KB of its own memory, with no authentication required, which can expose private data such as credit card numbers, passwords and even the server's private key.

Though most of the giant services fixed the problem promptly, many smaller services are still struggling with it, and hackers know this. A crook can scan for a vulnerable server, exploit the bug to read whatever private data happens to be sitting in the server's memory, including session cookies, and use that to take over someone's online session. The malformed request leaves no trace in ordinary server logs, so a site usually cannot tell whether it was ever exploited.
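To make the mechanics concrete, here is an added example (not code from the original article, and not OpenSSL's own source): a simplified C model of the heartbeat handler, with the vulnerable version beside the fixed one. The connection structure, the planted secret, the buffer sizes and the helper names are assumptions of this demo; the record layout and the bounds check are the real ones from the OpenSSL fix for CVE-2014-0160.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of OpenSSL's TLS heartbeat handling (CVE-2014-0160). A record is
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16).
 * The bug: the responder trusted payload_length from the wire instead of checking it
 * against the record it had actually received, so memcpy read past the record. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define CONN_MEM    4096
#define OUT_MAX     (3 + 65535 + HB_PADDING)

/* Simulated connection (an assumption of this demo, not OpenSSL's real layout): the
 * received record sits at the start of mem; other connection data (a planted secret)
 * lies further along, as on a real heap. record_len is what was really received. */
typedef struct { unsigned char mem[CONN_MEM]; size_t record_len; } conn_t;
static const char SECRET[] = "SECRET-PRIVATE-KEY-BYTES";   /* planted for the demo */
#define SECRET_OFFSET 100

/* Build a request whose length field may lie: actual_len payload bytes are sent, but
 * claimed_len (attacker-controlled) goes on the wire. Sizes are capped so the
 * over-read stays inside mem and the demo itself has no undefined behaviour. */
int make_request(conn_t *c, uint16_t claimed_len, const char *payload, size_t actual_len) {
    size_t rec = 1 + 2 + actual_len + HB_PADDING;
    if (rec > SECRET_OFFSET || (size_t)claimed_len + 3 + HB_PADDING > CONN_MEM) return 0;
    memset(c->mem, 0x41, sizeof c->mem);
    c->mem[0] = HB_REQUEST;
    c->mem[1] = (unsigned char)(claimed_len >> 8);
    c->mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(c->mem + 3, payload, actual_len);
    memset(c->mem + 3 + actual_len, 0, HB_PADDING);
    memcpy(c->mem + SECRET_OFFSET, SECRET, sizeof SECRET);
    c->record_len = rec;
    return 1;
}

/* Vulnerable responder, mirroring the pre-fix logic: echoes payload_length bytes no
 * matter how many the record really contained. Returns the response length. */
size_t heartbeat_vulnerable(const conn_t *c, unsigned char *out) {
    const unsigned char *p = c->mem;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);                 /* BUG: reads past the received record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed responder: same logic plus the bounds checks the OpenSSL fix added. A request
 * whose claimed length exceeds the received record is silently dropped (returns 0). */
size_t heartbeat_fixed(const conn_t *c, unsigned char *out) {
    const unsigned char *p = c->mem;
    unsigned char type;
    uint16_t payload;
    if ((size_t)(1 + 2 + HB_PADDING) > c->record_len) return 0;   /* too short to be valid */
    type = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > c->record_len) return 0;  /* the Heartbleed check */
    if (type != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does a response contain the planted secret? (portable substring search) */
int leaks_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Run one request through a responder; returns the response length and sets *leaked. */
size_t run_request(size_t (*responder)(const conn_t *, unsigned char *),
                   uint16_t claimed_len, const char *payload, size_t actual_len, int *leaked) {
    static conn_t c;
    static unsigned char out[OUT_MAX];
    size_t n = make_request(&c, claimed_len, payload, actual_len) ? responder(&c, out) : 0;
    if (leaked) *leaked = leaks_secret(out, n);
    return n;
}

int main(void) {
    int leaked;
    size_t n = run_request(heartbeat_vulnerable, 1000, "hello", 5, &leaked); /* claims 1000, sends 5 */
    printf("vulnerable: %zu bytes back, secret leaked=%d\n", n, leaked);
    n = run_request(heartbeat_fixed, 1000, "hello", 5, &leaked);
    printf("fixed:      %zu bytes back, secret leaked=%d\n", n, leaked);
    return 0;
}
```

The malicious request sends a 5-byte payload but claims 1,000; the vulnerable responder dutifully copies 1,000 bytes starting at the payload, sweeping up the planted secret, while the fixed responder compares the claimed length against the bytes actually received and drops the request. Note that nothing about the exchange is logged or errors out, which is why a site cannot tell after the fact whether it was hit.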

If a site is not (or is no longer) vulnerable, change your password for that site now. If a site is still vulnerable, changing your password is useless: the new password can be read out of the server's memory just as easily as the old one.

If a site is still vulnerable, keep an eye on that account for signs of unauthorized activity.

Once the site has been patched (ideally after it has also replaced its TLS certificate, since the old private key may have leaked), change your password.

And this time (if you didn't originally), create a strong, long password. That means a mix of letters, numbers and symbols, and well over eight characters. Don't build it from a single dictionary word; a long passphrase such as "I eat Martians for breakfast." is fine (the spaces and punctuation count), because its length and nonsensicality put it far beyond guessing. A random string such as Y48#dpkup3 is also strong, but much harder to remember.

Consider a password manager for creating strong passwords and remembering them, such as McAfee SafeKey.

For better security, use two-factor authentication wherever a site offers it: each login then also requires a one-time code, so a stolen password alone is not enough to get in.

As ongoing protection, consider a credit freeze and identity theft protection to prevent new-account fraud.

Robert Siciliano is a personal security and identity theft expert with more than 25 years of experience in security work, white-collar crime prevention, and self-defense. He is a television news correspondent, security analyst, Certified Identity Theft Risk Management Specialist, CEO of IDTheftSecurity.com, and author of The Safety Minute: Living on high alert - How to take control of your personal security and prevent fraud.